Malspam Leads to Malicous Word Document Which Downloads Geodo/Emotet Banking Malware

Download location where I got the malicious Word document:

• 192.232.223.76 – kinonah.com – GET /Cust-4762868855/ – Compromised website hosting malicious Word document
  • VirusTotal Report
  • Hybrid-Analysis Report
  • SHA256: d8cfe351daa5276a277664630f18fe1e61351cbf3b0a17b6a8ef725263c0cab4

Additional Word document download locations:

• 213.190.161.210 – avenueevents.co.uk/Cust-PBP-03-D683320/
• 67.212.91.221 – kingstoncybermall.com/Cust-3647227423/
• 5.10.105.46 – theuntoldsorrow.co.uk/ORDER.-XI-80-UY913942/
• 173.236.177.156 – visuals.com/CUST.-VT-38-RH422386/
• 192.254.251.86 – thenursesagent.com/ORDER.-9592209302/
• 192.185.148.240 – tiger12.com/TGA-48-76252-doc-May-04-2017/
• 192.185.216.220 – gabrielramos.com.br/lxu-3h-ip079-zgmg.doc/
• 146.185.16.121 – britbuys.co.uk/MMQKS-13-50456-doc-May-04-2017/
• 186.233.185.77 – bbcinfo.com.br/Cust-Document-OR-23-D181969/
• 212.1.208.253 – kineticwebdesign.co.uk/ORDER.-0674979321/
• 192.185.88.17 – hand-ip.com/Cust-Document-5777177439/
• 67.227.229.37 – bobrow.com/ito-6r-w193-pkr.doc
• 81.169.145.158 – wyskocil.de/ORDER-525808-73297/
• 192.254.231.89 – citylifeevents.co.uk/ORDER.-1198574243/
• 146.185.181.231 – proiecte-pac.ro/ORDER.-5883789520/
• 85.25.226.200 – zypern-aktiv.de/wp-content/plugins/wordfence/Cust-0396638436/
• 66.7.193.7 – sublevel3.us/Cust-5226149026/
• 205.204.94.16 – forthtechnologies.com/CUST.-Document-SHO-10-K839208/
• 66.198.240.165 – highbeamshoes.com/Cust-XNG-91-EO055424/
• 5.249.147.247 – itgastaldi.com/CUST.-Document-QGU-29-Z264146/
• 67.227.212.192 – wlrents.com/CUST.-Document-YDI-04-GQ389557/
• 89.187.85.6 – redkitecottages.com/Cust-Document-VMH-46-TJ804065/
• 173.236.147.244 – thegilbertlawoffice.com/m-9q-d054-gu.doc/
• 65.39.128.43 – sheyana.com/ORDER.-Document-8187485601/
• 192.185.73.127 – gregbenjamin.com/CUST.-Document-TIJ-37-J534842/

Geodo/Emotet download locations:

• 209.97.242.26 – dynamat.com/tou1yn-sq755-x/
• 69.163.152.76 – sheacorp.com/ism3qo-u416-kjdd/
• 74.55.90.58 – bullridemania.com/vs9r-z679-yg/
• 144.208.69.18 – melodywriters.com/um5tc-c110-srd/
• 79.96.237.135 – masil.pl/gfx/mhl7mcv-hb478-qy/
  • VirusTotal Report
  • Hybrid-Analysis Report
  • SHA256: b254d81796eb96329c14797bc43e4fbf62eb08c4eb21afea084b425bc867c5b9

Additional Geodo/Emotet download locations:

• 148.251.213.108 – arrowlink.com/uk1ej-kt757-md/
• 80.150.6.143 – stromkontor.org/b8hcg-o392-gj/
• 192.185.145.58 – danmichaelis.com/uf1t-g513-xa/
• 143.95.238.54 – mmaacombatzone.com/wse9o-jr465-pguf/

C2s:

• 81.88.24.211:443
• 87.106.189.18:8080
• 66.175.215.16:8080
• 103.219.22.63:443
• 139.59.33.202:8080
• 50.116.5.69:443
• 62.210.36.193:8080
• 62.75.181.217:8080
• 74.50.57.220:8080
• 75.25.153.57:443
• 79.170.95.202:7080
• 87.106.148.126:443
• 92.51.129.235:443
• 78.47.56.162:443

Secondary downloads:

• 72.249.55.86 – incadesc.com.mx/dephm8uabdpkb83arcml/
  • VirusTotal Report
  • Hybrid-Analysis Report
  • SHA256: a56498a062e95f7030ed92b740716004bf3433d3107daed1c2082b08aa1040ad

Infection Chain:

My infection chain didn’t begin with the email. Instead, I had an alert in a SIEM from a Wildfire event catching return HTTP traffic from hand-ip.com/Cust-Document-5777177439/ at 192.185.88.17. The return HTTP traffic was attempting to deliver the malicious Word document to the internal host. While I didn’t receive the malspam it would seem as though they’re sending out phishing emails with malicious links that point to the malicious Word documents being hosted on various compromised websites.

I decided to download the Word document to see what was going on. Once I downloaded the Word document I opened it and was presented with the familiar social engineering tricks of enabling editing and then enabling content:

Once the user enables both editing and content their host will make GET requests for the malware payload being hosted on numerous compromised websites. Below is an example of network traffic up to this point:

The Hybrid-Analysis report for the Word document shows the processes and the PowerShell script used to download the malware:

The malware payload is dropped in %Temp% and then moves itself to %AppData% under a random folder:

MspthrdWake’s .lnk file is created inside the Startup folder in the system Start Menu so it can automatically run whenever the system starts:

Ealier versions would use HTTP POST requests containing the encrypted data to the C2 server. However, newer variants are using GET requests to send the encrypted data within a Base64 encoded cookie string:

The C2 server responds with a fake “404 Not Found” status; however, the body is full of encrypted data.

During one of my infections I also noticed another GET requests for incadesc.com.mx/dephm8uabdpkb83arcml/. This delivered the file “3658854804.exe”:

Around the same time I got this executable I noticed another user on Twitter mention it as well:

The other executable, “103171900.exe”, scanned clean on VirusTotal. File details shows it to be autoconv.exe from Auto File System Conversion Utility by Microsoft Corporation.

https://www.virustotal.com/en/file/2ab981cfb743f3573d1dde48d6496fe8c315ff3c492c41711f4cb6b2024e0ec3/analysis/

Here is some of the C2 GET requests traffic filtered in Wireshark:

Download the malicious Word document (password is infected):

Malicious Word Doc.zip

All the other files can be downloaded via the Hybrid-Analysis reports.

Until next time!

References:

1. http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1
2. https://blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk
3. https://www.cyphort.com/emotet-cookies-c2-fakes-404/
4. https://www.cisecurity.org/emotet-changes-ttp-and-arrives-in-united-states/
5. https://myonlinesecurity.co.uk/open-the-attachment-to-view-the-document-malspam-delivers-a-multitude-of-malware/